cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Can't get group policy to apply on my Meraki MX84

Comes here often

Can't get group policy to apply on my Meraki MX84

We have system-wide firewall rules in place (layer 3 and 7) that are pretty basic...disallow adult sites, gambling, etc. These work fine.

 

I created a new group policy to further restrict traffic and applied it to only one computer via the specific client page. But it's not working - that computer can still get through. Our network is pretty simple - we don't have any other group policies in effect.

 

Some things I've tried:

- Just waiting to see if it takes some time to take effect

- Moving the client back to "normal" profile, waiting, then moving it back to my custom GP

- Removing the firewall rules in the gp, waiting, then re-applying. 

- If I move one of the GP rules to the system-wide firewall rules, that works. 

 

Any ideas? Feel like I'm missing something obvious here, but everything looks to be set correctly. Thanks!!

 

client.PNGClient pagegp.PNGGroup policy

8 REPLIES 8
Kind of a big deal

Re: Can't get group policy to apply on my Meraki MX84

What specifically are you trying to block? Some things you might not be able to if they are encrypted.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
Kind of a big deal

Re: Can't get group policy to apply on my Meraki MX84

They are only applied when the client reconnects, have you tried that?

 

More troubleshooting tips are here:

https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Troubleshooting_G...

Comes here often

Re: Can't get group policy to apply on my Meraki MX84

Thanks... are you saying that I have to physically disconnect the computer from the LAN (unplug the ethernet cable) and reconnect? Or is there some other disconnect you're referring to? This PC is always hard-wired in today... That's going to be a real pain if I have to do that for every PC I need to apply group policies for. 

 

 

Highlighted
Kind of a big deal

Re: Can't get group policy to apply on my Meraki MX84

Well it's a sure way to get the policy to apply immediately. The problem is that otherwise flows could be kept open. Can you try cycling the port the client is connected to?

Comes here often

Re: Can't get group policy to apply on my Meraki MX84

So I unplugged the machine this morning, replugged it, and the restrictions still aren't taking effect. This seems like such a simple thing but I can't figure out why it's not working.

Kind of a big deal

Re: Can't get group policy to apply on my Meraki MX84

What are you using to test? I'll have a try here to see if it works for me.

Comes here often

Re: Can't get group policy to apply on my Meraki MX84

I'm looking purely at the Meraki dashboard and our SIEM tool that is pulling logs from the Meraki. Given the rules specified in the group policy I screenshotted in my post, I would expect an IP like 81.161.59.85 to be blocked, for example. But both tools show me there is still traffic flowing to that IP.

I'll add that this is an employee's computer and I haven't gotten around to actually monitoring the traffic _on_ the machine (for example, using Wireshark), but I felt the tools I listed above are evidence enough. And I'd prefer to block this kind of traffic on the network side anyway, rather than trying to fix individual computers.

Thanks a ton for your help!
Comes here often

Re: Can't get group policy to apply on my Meraki MX84

Another data point - in the group policy we have all file sharing sites blocked in layer 7, including dropbox. I just confirmed that dropbox was indeed blocked from the computer. I tweaked that layer 7 rule to allow dropbox, and now it's accessible from that computer.

So it seems like it's working, sort of. But my layer 3 IP rules and my layer 7 country rules are not.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.